ClawHub

Openclaw Super Skills

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed skill-management helper, but users should review any third-party skills before installing or creating them.

Before installing, confirm you want a skill that can guide discovery, installation, or creation of other skills. Review any skill it recommends or generates, prefer trusted publishers, avoid global installs unless you need them, and approve changes to your agent setup deliberately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly promotes searching for, installing, and creating skills, including global installation commands, but does not warn that third-party skills may execute code or change the local environment. In this context, the skill is specifically designed to automate discovery and generation of additional skills, which increases the chance that users will trust and run unreviewed code from external sources.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill description is so broad that it can trigger on many normal multi-step requests, causing this skill to be invoked frequently and potentially enabling unnecessary capability expansion such as skill discovery, installation, or creation. In an agent environment, overbroad activation increases attack surface because benign user requests may be routed into workflows that introduce external code, credentials, or automation steps not actually required.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal